Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Apple to Expand Support for Passwordless Sign-Ins Across Websites and Apps

macsplusmacs said:
A cop, (in the USA) if he pulls one over, can ask for your thumb or face unlock but not your 123 type code password I think?

I think that is the latest about that. anyone?


A good practice is to turn off your phone if you get pulled over. Then if they demand to see it, the phone, turn it on and will ask for the code and you can tell the cop to get a warrant.
Click to expand...
It really depends. States have ruled differently on whether biometric data is protected or not, but passcodes are generally protected is my understanding. That's why the article says it is "murky".
Also, they do not generally have a right to search your phone in a traffic stop though there have been reports that some have done so anyway: https://www.eff.org/issues/know-your-rights
 
  • Like
Reactions: macsplusmacs
Bring it on. I'm fed up with apps that ask for my password over and over, even when it's supposed to be storing the password/biometric information for fast and secure password-free login.

After this, can we fix the ridiculous cookie notices? Trying to turn those off requires scrolling through a document as long as War And Peace to find a link that makes you leave the site you wanted, and then give them information you don't want to share in the first place.
 
  • Like
Reactions: dysamoria
bookofxero said:
It really depends. States have ruled differently on whether biometric data is protected or not, but passcodes are generally protected is my understanding. That's why the article says it is "murky".
Also, they do not generally have a right to search your phone in a traffic stop though there have been reports that some have done so anyway: https://www.eff.org/issues/know-your-rights
Click to expand...

thanks for posting that link!
 
  • Like
Reactions: TheYayAreaLiving 🎗️
cambric said:
It is the year 2022 and Apple still requires users to have SMS as a fallback two-factor method
Click to expand...
Their whole method of verification annoys the ? out of me.

And the frequency they make you verify yourself on the same device.
 
kiranmk2 said:
Hope this works - even using a password manager is more hassle than it needs to be. The use of biometrics will hopefully also remove the need for 2FA codes.
Click to expand...
Using biometry effectively reduces security to the 6-digit passcode of the device (since if you obtain the passcode you can change biometry)!
 
Superficially great, but with it looking increasingly likely that all internet use will sooner or later require biometric verification, then personally I will approach this idea with one raised eyebrow and a healthy dose of scepticism. As always, be careful what you wish for.
 
yossi said:
How does this factor in someone accessing the accounts of someone who passes away? I have a binder of all my acconts and passwords for my wife in the event that I die. What will she do if this service becomes dominant?
Click to expand...
Similarly, how do you share login details with this system for shared access?
My spouse and I share credentials for things like paying utility bills.
 
BootsWalking said:
For those asking how this works, here's a simplified explanation based on my understanding from reading and watching the online resources about it.

To register on a new site, say widget.com
  1. You go widget.com and navigate to its new-account creation page
  2. Type in what you want your username to be and then click "create account"
  3. Your phone will bring up a system sheet confirming you want to create a credential for widget.com. After you confirm, the phone will create a site-specific credential token (called "passkey" in FIDO parlance), the security of which is based on public-key encryption.
  4. The phone will store the token and private-key portion of the token on your iCloud Keychain. It will share the public-key portion of the token with widget.com so it can save it on their server.
Whenever you visit widget.com in the future, Safari will know you have a saved credential for the site and will confirm you'd like to login, similar to how it works today for traditional passwords saved in your keychain, including you proving you have rightful access to your keychain (Face ID, passkey, etc...). But instead of a password, Safari will present the passkey (token) to the site (which it already has stored on their server to compare), then verify you're the rightful owner of the token by proving to the site that your phone has the private key associated with the token (challenge/response).
Click to expand...
So this requires the use of Safari? What if you want to switch to a different browser?
 
Needs to be implemented as soon as possible. Definitely a better idea and more secure
 
cambric said:
Not sure how you could interpret my post as being against mandatory 2FA. I didn’t mean that.

I’m against Apple requiring the insecure method of SMS codes, with no way of removing my phone number and no option of using TOTP codes, backup codes or physical security keys for 2FA.
Click to expand...
OK. so there you have something concrete to discuss and I don't even disagree with you.
 
I was hoping someone would answer what I asked earlier, what happens if you lose your mobile phone which is the device used to setup the passwordless account ? how do you recover ? is there a path like forgot password (but that does not exist) ? trying to understand this.
 
  • Like
Reactions: Tagbert
monster620ie said:
I was hoping someone would answer what I asked earlier, what happens if you lose your mobile phone which is the device used to setup the passwordless account ? how do you recover ? is there a path like forgot password (but that does not exist) ? trying to understand this.
Click to expand...

Someone mentioned it is in your iCloud keychain. so it's not? just on the phone.
 
  • Like
Reactions: TheYayAreaLiving 🎗️ and monster620ie
LeadingHeat said:
Can someone explain the security of this? Obviously I doubt that my facial data would be shared with the website, but how does it remain secure?
Click to expand...

You have an abstract software or hardware 'thing' which performs authentication, called an "Authenticator", which can prove either user presence and consent, or perform user verification (e.g. local authentication). Since authentication is basically proving that you are the same party as seen previously, it is done by creating and later using public-private key cryptography. This is the same technology that say a Yubikey has supported for many years - a modern USB security key is another supported type of Authenticator.

You as a user will register your phone with a site either on registration or while logged in - which shares a new, unique public key with the site. When you try to log in later the authenticator is invoked (aka a local FaceID or passcode check), which releases the use of the private key to 'prove' it is the same person to the web site. This is all done using a W3C standard called the Web Authentication API.

Native apps support this in much the same way, but the API is vendor specific. A native app will usually only be able to request this for websites where the site administrator has opted-in an app, to prevent phishing.

The public key is unique to the registration, and the authenticator by default is anonymized (e.g. they know it was an apple device, potentially down to make and model of phone, but not that it is a specific phone). As a result, the same phone can be used to authenticate across the internet without different websites being able to correlate and track you.

Because the authentication happens at the browser/platform level rather than via site javascript, it privates a strong phishing protection - it is basically impossible (without the platform, browser, or site being compromised) for someone to 'trick' you to authenticate into a fake site, then turn around and leverage that to get into your real account.

For example, Google announced a few years ago that when they had employees go to this model (using hardware security keys at the time) they had their phishing-related security incidents drop to zero. https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/

So your biometric data never leaves your phone, instead it works in terms of dynamically generated public/private keys.

The two big things today are:

1. Support for synchronizing the private keys and site registrations the same way that the platform-implemented password managers synchronize passwords for sites today. On Apple platforms, this is done atop iCloud Keychain. So, if I set this up on my phone it will automatically work later when I try to go to that site on my Mac, using the Mac's TouchID.

2. Support for use of cell phones as authenticators across platforms. So if I have an android phone and set that up with a site, I have a way to my android phone to log into a site while on my Mac.

Would website devs need to drastically change how they code websites or would the phone handle the translation between the website asking for a password and the user just being able to scan their face?
Click to expand...

This is a different, more secure mechanism than passwords. So the site needs to have code that can handle the public/private key cryptography, to store it, and to handle the authentication request/response messages that leverage them.

The site will also need some javascript on the page to request this be used, typically behind an additional login option button. There is code out there to help with this, typically with both back-end server and front-end web framework components. For many sites, they will want to add more logic to support and promote this - for instance, to allow for multiple registrations (e.g. my iPhone and my Windows desktop can both work to sign in to a site), and possibly to edge people toward deleting any legacy password option.

There is separate ongoing work, outside what was announced today, to try to optimize the overall user experience. The addition of a new login option button means the user needs to have education on what that does. It would be far better if (as a few websites already do) you just had a prompt from the site - "Would you like to use FaceID/TouchID to sign in going forward?". Then, when you return to the web site in the future, your browser itself handles surfacing that as a potential login option.
 
  • Like
Reactions: sos47, MuppetGate, BurgDog and 1 other person
That great!
But do Apple will take that also for their devices…?
My mom was a rebel and still used a Nokia and just now bought an iPhone and a MBA and only to be able to use them need:
E-mail address
Password for the email
iCloud
Password for iCloud
password for MBA
Fingers print
SIM code
Password for iPhone
Face ID
 
This is the Christmas gift of the century. Finally.
One of the big reasons for me to jump and stick to macOS and anything built-in/default (Safari, Mail, etc etc) was because the Keychain passwords handling between all devices made it a breeze.
And I kinda trust more Apple’s native OSs credentials handling than the constant Chrome, Firefox, IE/Edge, etc asking to save said credentials all the time.

Sign me for an even more homogeneous credentials management.
 
  • Like
Reactions: sos47 and dysamoria
mrbobdobolina said:
I have relatives who are very vocal about how much they hate [remembering] passwords. I think this would be a welcome convenience for many people if it works as advertised.
Click to expand...
I hate it myself. I track 180+ accounts on a damned spreadsheet.

Thing is, a single sign on is also great for whoever compromises your single sign on, right?
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back